[IT-SecNots] [Security-news] HTML Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-069

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2018-069

Project: HTML Mail [1]
Date: 2018-October-17
Security risk: *Critical* 17∕25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Remote Code Execution

Description: 
The HTML Mail module lets you theme your messages the same way you theme the
rest of your website.

When sending email some variables were not being sanitized for shell
arguments, which could lead to remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006 [3].

Solution: 
Install the latest version:

  * If you are running Drupal 7.x,
     * update to 7.x-2.71 [4].
     * In case you're still using 7.x-2.65, there is a version 7.x-2.66 [5]
       which has only the security patch applied, but you must realize that
       you are running old code and you're missing a number of bug fixes.


Also see the HTML Mail [6] project page.

Reported By: 
  * Damien Tournoud  [7]

Fixed By: 
  * Hans Salvisberg  [8]

Coordinated By: 
  * Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/htmlmail
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2018-006
[4] https://www.drupal.org/project/htmlmail/releases/7.x-2.71
[5] https://www.drupal.org/project/htmlmail/releases/7.x-2.66
[6] https://www.drupal.org/project/htmlmail
[7] https://www.drupal.org/user/22211
[8] https://www.drupal.org/user/82964
[9] https://www.drupal.org/u/greggles

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news